1*** Settings ***
2Documentation    Test Redfish LDAP user configuration.
3
4Library          ../../lib/gen_robot_valid.py
5Resource         ../../lib/resource.robot
6Resource         ../../lib/bmc_redfish_resource.robot
7Resource         ../../lib/openbmc_ffdc.robot
8Resource         ../../lib/utils.robot
9Library          ../../lib/gen_robot_valid.py
10Resource         ../../lib/bmc_network_utils.robot
11Resource         ../../lib/bmc_ldap_utils.robot
12
13Suite Setup      Suite Setup Execution
14Suite Teardown   LDAP Suite Teardown Execution
15Test Teardown    Run Keywords  Redfish.Login  AND  FFDC On Test Case Fail
16
17Force Tags       LDAP_Test
18
19*** Variables ***
# Role that 'Restore LDAP Privilege' writes back for ${GROUP_NAME}.
# 'Suite Setup Execution' publishes it as a suite variable.
${old_ldap_privilege}   Administrator
# Snapshot of the AccountService resource, used by
# 'Restore AccountLockout Attributes' to put the lockout settings back.
&{old_account_service}  &{EMPTY}
# Not referenced in the visible part of this suite.
&{old_ldap_config}      &{EMPTY}
# Host name sent by 'Update LDAP Config And Verify Set Host Name' as the
# authorization probe.
${hostname}             ${EMPTY}
# Throw-away address used by the IP-configuration role tests
# (presumably together with ${test_mask}; the keyword is not fully visible here).
${test_ip}              10.6.6.6
${test_mask}            255.255.255.0
26
27** Test Cases **
28
Verify LDAP Configuration Created
    [Documentation]  Create the LDAP configuration, confirm the ${LDAP_TYPE}
    ...  section now exists and check that the LDAP user can authenticate.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # 'Get LDAP Configuration' raises if the ${LDAP_TYPE} section is absent.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Give the LDAP daemon time to pick up the new settings.
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The suite-level Test Teardown re-creates the local admin session.
    Redfish.Logout
39
40
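Verify LDAP Service Disable
    [Documentation]  Disable the ${LDAP_TYPE} service and verify both that the
    ...  configuration reports it disabled and that the LDAP user can no longer
    ...  log in.  The service is re-enabled in teardown so that a failure here
    ...  cannot leave the remaining tests without LDAP.
    [Tags]  Verify_LDAP_Service_Disable
    [Teardown]  Run Keywords  Redfish.Login  AND
    ...  Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body={'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}  AND
    ...  Sleep  15s  AND
    ...  FFDC On Test Case Fail

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${False}}}
    # Allow the LDAP daemon to restart with the service disabled.
    Sleep  15s

    # Confirm the setting actually took; a login failure alone could also be
    # caused by an unrelated LDAP outage.
    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Be Equal  ${ldap_config['ServiceEnabled']}  ${False}
    ...  msg=ServiceEnabled is still true after disabling the LDAP service.

    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    ...  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${False}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.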
59
60
Verify LDAP Login With ServiceEnabled
    [Documentation]  Enable the ${LDAP_TYPE} service (after disabling the other
    ...  LDAP type) and verify the LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # The suite keeps only one LDAP type active at a time.
    Disable Other LDAP
    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Wait for the LDAP daemon to restart with the service enabled.
    Sleep  15s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
73
74
Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Set AuthenticationType to UsernameAndPassword and verify
    ...  the LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    ${body}=  Catenate  {'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the updated settings.
    Sleep  15s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
85
86
Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that a PATCH selecting an unsupported
    ...  AuthenticationType (KerberosKeytab) is rejected with 400.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_AuthenticationType

    # Only the rejection status is checked; the stored value is not read back.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}
    ...  valid_status_codes=[400]
95
96
Verify LDAP Login With Correct LDAP URL
    [Documentation]  Point ServiceAddresses at ${LDAP_SERVER_URI} and verify
    ...  the LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    Config LDAP URL  ldap_server_uri=${LDAP_SERVER_URI}  expected_status=${True}
102
103
Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Point ServiceAddresses at a placeholder address with no
    ...  LDAP server behind it and verify the LDAP user can no longer log in.
    ...  The working URL is put back in teardown.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    [Teardown]  Run Keywords  Restore LDAP URL  AND
    ...  FFDC On Test Case Fail

    Config LDAP URL  ldap_server_uri=ldap://1.2.3.4/  expected_status=${False}
111
Verify LDAP Configuration Exist
    [Documentation]  Verify that the ${LDAP_TYPE} section of AccountService is
    ...  present and non-empty.
    [Tags]  Verify_LDAP_Configuration_Exist

    ${ldap_section}=  Redfish.Get Attribute  ${REDFISH_BASE_URI}AccountService
    ...  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${ldap_section}  msg=LDAP configuration is not defined.
119
120
Verify LDAP User Login
    [Documentation]  Verify that the LDAP user can open a Redfish session.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The suite-level Test Teardown re-creates the local admin session.
    Redfish.Logout
127
128
Verify LDAP Service Available
    [Documentation]  Verify that the ${LDAP_TYPE} configuration carries an
    ...  LDAPService object.
    [Tags]  Verify_LDAP_Service_Available

    ${ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    # 'Should Contain' on a dictionary checks for the key.
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.
136
137
Verify LDAP Login Works After BMC Reboot
    [Documentation]  Reboot the BMC and verify the LDAP configuration survives
    ...  it: the LDAP user must still be able to log in afterwards.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
145
146
Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Map ${GROUP_NAME} to ${GROUP_PRIVILEGE}, log in as the
    ...  LDAP user, reboot the BMC and verify the LDAP user can log in again.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # NOTE(review): the test name assumes ${GROUP_PRIVILEGE} is
    # "Administrator"; that is not asserted anywhere in this test.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Reboot while the LDAP session is the active one (whether the reboot
    # keyword uses this session is not visible in this file).
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
159
160
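Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that LDAP user with operator privilege can do host
    ...  power off.  Uses the shared role/poweroff helper so that the host is
    ...  first brought to On and the transition to Off is confirmed, instead of
    ...  accepting a 200 on a host that may already have been off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    [Teardown]  Restore LDAP Privilege

    # ldap_type     group_privilege  group_name     valid_status_code
    Update LDAP User Role And Host Poweroff  ${LDAP_TYPE}  Operator  ${GROUP_NAME}  ${HTTP_OK}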
176
177
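Verify AccountLockout Attributes Set To Zero By LDAP User
    [Documentation]  Verify that an LDAP user mapped to Administrator can set
    ...  AccountLockoutDuration and AccountLockoutThreshold to 0.  A value of
    ...  0 switches account lockout (the brute-force guard) off, so the
    ...  original values are restored in teardown.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero_By_LDAP_User

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # A plain assignment is local to this test body and is not visible to the
    # teardown keyword; publish it to test scope so the restore actually runs.
    Set Test Variable  ${old_account_service}
    Rprint Vars  old_account_service

    # Map the LDAP group to Administrator.
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  Administrator  ${GROUP_NAME}

    # Clear existing Redfish sessions.
    Redfish.Logout

    # Login using LDAP user.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # Set Account Lockout attributes using LDAP user.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]

    # Read back and confirm both attributes are now 0.
    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    Should Be Equal As Integers  ${account_service['AccountLockoutDuration']}  0
    ...  msg=AccountLockoutDuration was not set to 0.
    Should Be Equal As Integers  ${account_service['AccountLockoutThreshold']}  0
    ...  msg=AccountLockoutThreshold was not set to 0.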
204
205
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that an LDAP user mapped to a read-only role can
    ...  read the firmware inventory collection.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # read_privilege
    ReadOnly
214
215
Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that an LDAP user mapped to a read-only role is
    ...  refused (401 or 403) when requesting a host power-on.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # read_privilege
    ReadOnly
224
225
Update LDAP Group Name And Verify Operations
    [Documentation]  Map ${GROUP_NAME} or an unknown group to each role and
    ...  verify, through a HostName PATCH made as the LDAP user, that only
    ...  Administrator and Operator with the correct group are allowed.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    [Teardown]  Restore LDAP Privilege

    # Rows with ${GROUP_NAME}: the user's group is mapped, so the role decides.
    # Rows with Invalid_LDAP_Group_Name: no mapping matches the user, so every
    # role must be refused (401 or 403) regardless of the privilege given.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            Operator         [${HTTP_OK}, ${HTTP_NO_CONTENT}]
    ${GROUP_NAME}            ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  ReadOnly         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  NoAccess         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
242
243
Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Re-apply ${LDAP_BASE_DN} as the search base of the
    ...  ${LDAP_TYPE} configuration and verify the LDAP user can log in.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    ${search_settings}=  Catenate  {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}
    ${body}=  Catenate  {'${LDAP_TYPE}': {'LDAPService': {'SearchSettings': ${search_settings}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the updated settings.
    Sleep  15s
    Redfish Verify LDAP Login
255
256
Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Re-apply ${LDAP_BIND_DN} as the bind user name of the
    ...  ${LDAP_TYPE} configuration and verify the LDAP user can log in.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    ${authentication}=  Catenate  {'AuthenticationType':'UsernameAndPassword', 'Username': '${LDAP_BIND_DN}'}
    ${body}=  Catenate  {'${LDAP_TYPE}': {'Authentication': ${authentication}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the updated settings.
    Sleep  15s
    Redfish Verify LDAP Login
268
269
Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Re-apply ${LDAP_BIND_DN_PASSWORD} as the bind password of
    ...  the ${LDAP_TYPE} configuration and verify the LDAP user can log in.
    [Tags]  Verify_LDAP_BindDN_Password_Update_And_LDAP_Login

    # The bind password is write-only on the BMC side; success is inferred
    # from the subsequent LDAP login, not read back.
    ${authentication}=  Catenate  {'AuthenticationType':'UsernameAndPassword', 'Password': '${LDAP_BIND_DN_PASSWORD}'}
    ${body}=  Catenate  {'${LDAP_TYPE}': {'Authentication': ${authentication}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the updated settings.
    Sleep  15s
    Redfish Verify LDAP Login
282
283
Verify LDAP Type Update And LDAP Login
    [Documentation]  Make ${LDAP_TYPE} the active LDAP type (disabling the other
    ...  type first) and verify the LDAP user can log in.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    Disable Other LDAP
    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceEnabled': ${True}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the service enabled.
    Sleep  15s
    Redfish Verify LDAP Login
294
295
Verify LDAP Authorization With Null Privilege
    [Documentation]  Map ${GROUP_NAME} to an empty privilege and verify the
    ...  LDAP user is forbidden from changing the host name.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    [Teardown]  Restore LDAP Privilege

    # NOTE(review): this relies on the role-mapping PATCH with an empty
    # LocalRole being accepted; if the BMC rejects it (400) the test fails
    # before the authorization check is reached — confirm on the target build.
    Update LDAP Config And Verify Set Host Name  group_name=${GROUP_NAME}
    ...  group_privilege=${EMPTY}  valid_status_codes=[${HTTP_FORBIDDEN}]
304
305
Verify LDAP Authorization With Invalid Privilege
    [Documentation]  Map ${GROUP_NAME} to a privilege name the BMC does not know
    ...  and verify the LDAP user is forbidden from changing the host name.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    [Teardown]  Restore LDAP Privilege

    # NOTE(review): as with the null-privilege case, the mapping PATCH itself
    # must be accepted for the 403 on the HostName PATCH to be observed.
    Update LDAP Config And Verify Set Host Name  group_name=${GROUP_NAME}
    ...  group_privilege=Invalid_Privilege  valid_status_codes=[${HTTP_FORBIDDEN}]
314
315
Verify LDAP Login With Invalid Data
    [Documentation]  Create the LDAP configuration from invalid server, bind-DN
    ...  and base-DN values and verify the (valid) LDAP user cannot log in.
    ...  The good configuration is re-created in teardown.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    # The bind password is the literal string LDAP_BIND_DN_PASSWORD (not the
    # variable) — presumably deliberate as part of the invalid data; confirm.
    Create LDAP Configuration  ${LDAP_TYPE}
    ...  Invalid_LDAP_Server_URI  Invalid_LDAP_BIND_DN
    ...  LDAP_BIND_DN_PASSWORD  Invalid_LDAP_BASE_DN
    # Let the LDAP daemon restart with the bogus settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
329
330
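Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that LDAP login fails when the configuration is
    ...  created with an empty BASE_DN.  The server URI, bind DN and bind
    ...  password are the valid ones so the failure is attributable to the
    ...  missing BASE_DN alone (the original also passed an invalid server and
    ...  bind DN, which would make the login fail regardless).
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  ${EMPTY}
    # Let the LDAP daemon restart with the new settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}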
343
344
Verify LDAP Authentication Without Password
    [Documentation]  Verify that a Redfish login for the LDAP user that
    ...  supplies no password is rejected.
    [Tags]  Verify_LDAP_Authentication_Without_Password
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # NOTE(review): only the user name is passed.  Whether Redfish.Login then
    # sends an empty password or substitutes a library default is not visible
    # here — confirm, otherwise this exercises a wrong-password case instead.
    ${login_ok}=  Run Keyword And Return Status  Redfish.Login  ${LDAP_USER}
    Should Be Equal  ${login_ok}  ${False}
    ...  msg=LDAP user was able to login without supplying a password.
353
354
Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Create the configuration with valid server, bind DN and
    ...  bind password but an invalid BASE_DN, and verify the LDAP user cannot
    ...  log in.  The good configuration is re-created in teardown.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration
    ...  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}
    ...  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    # Let the LDAP daemon restart with the new settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
367
368
Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Create the configuration with a wrong bind password (all
    ...  other values valid) and verify the LDAP user cannot log in.  The good
    ...  configuration is re-created in teardown.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration
    ...  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  ${LDAP_BIND_DN}
    ...  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    # Let the LDAP daemon restart with the new settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
381
382
Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Create the configuration with both an invalid bind DN and
    ...  an invalid BASE_DN and verify the LDAP user cannot log in.  The good
    ...  configuration is re-created in teardown.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration
    ...  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  INVALID_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    # Let the LDAP daemon restart with the new settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
395
396
Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify the RemoteRoleMapping can be changed: setup maps
    ...  ${GROUP_NAME} to Operator, the test then maps it to Administrator.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # The mapping is not read back here, and there is no teardown putting
    # the original role back; the group is left mapped to Administrator.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Administrator  ${GROUP_NAME}
406
407
Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Create the configuration with an invalid bind DN (all
    ...  other values valid) and verify the LDAP user cannot log in.  The good
    ...  configuration is re-created in teardown.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    [Teardown]  Run Keywords  FFDC On Test Case Fail  AND
    ...  Redfish.Login  AND
    ...  Create LDAP Configuration

    Create LDAP Configuration
    ...  ${LDAP_TYPE}  ${LDAP_SERVER_URI}  Invalid_LDAP_BIND_DN
    ...  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    # Let the LDAP daemon restart with the new settings.
    Sleep  15s
    Redfish Verify LDAP Login  ${False}
420
421
Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that a login for a user name that does not exist
    ...  on the LDAP server is rejected, even with the valid LDAP password.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${False}
    ...  msg=Login succeeded for a user that does not exist on the LDAP server.
431
432
Update LDAP User Roles And Verify Host Poweroff Operation
    [Documentation]  Map ${GROUP_NAME} to each role in turn and verify that a
    ...  ForceOff request by the LDAP user is refused for NoAccess/ReadOnly
    ...  and accepted (and carried out) for Operator/Administrator.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweroff_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweroff
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweroff.
    # NOTE(review): the template keyword logs in as the LDAP user without
    # guarding the login; this row therefore expects a NoAccess login to
    # succeed, whereas 'Verify Redfish Login for LDAP Userrole NoAccess'
    # expects it to be rejected.  Confirm which is right for the target build.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweroff.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweroff.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweroff.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
452
453
Update LDAP User Roles And Verify Host Poweron Operation
    [Documentation]  Map ${GROUP_NAME} to each role in turn and verify that a
    ...  power-on request by the LDAP user is refused for NoAccess/ReadOnly
    ...  and accepted (and carried out) for Operator/Administrator.
    [Tags]  Update_LDAP_User_Roles_And_Verify_Host_Poweron_Operation
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Host Poweron
    # ldap_type   group_privilege  group_name     valid_status_codes

    # Verify LDAP user with NoAccess privilege not able to do host poweron.
    # NOTE(review): as in the poweroff suite, this row requires the unguarded
    # LDAP login in the template keyword to succeed for a NoAccess mapping.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with ReadOnly privilege not able to do host poweron.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege able to do host poweron.
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with Administrator privilege able to do host poweron.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}
473
474
Configure IP Address Via Different User Roles And Verify
    [Documentation]  Map ${GROUP_NAME} to each role and verify that only the
    ...  Administrator role may add an IP address; every other role is
    ...  expected to receive 403.
    [Tags]  Configure_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Configure IP Address
    # ldap_type   group_privilege  group_name     valid_status_code
    # Verify LDAP user with Administrator privilege is able to configure IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to configure IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to configure IP address
    # (the row expects ${HTTP_FORBIDDEN}; the earlier comment saying "able" did
    # not match the expectation).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
492
493
Delete IP Address Via Different User Roles And Verify
    [Documentation]  Map ${GROUP_NAME} to each role and verify that only the
    ...  Administrator role may delete an IP address; every other role is
    ...  expected to receive 403.
    [Tags]  Delete_IP_Address_Via_Different_User_Roles_And_Verify
    [Teardown]  Run Keywords  Restore LDAP Privilege  AND  FFDC On Test Case Fail

    [Template]  Update LDAP User Role And Delete IP Address
    # ldap_type   group_privilege  group_name     valid_status_code
    # Verify LDAP user with Administrator privilege is able to delete IP address.
    ${LDAP_TYPE}  Administrator    ${GROUP_NAME}  ${HTTP_OK}

    # Verify LDAP user with ReadOnly privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  ReadOnly         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with NoAccess privilege is forbidden to delete IP address.
    ${LDAP_TYPE}  NoAccess         ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    # Verify LDAP user with Operator privilege is forbidden to delete IP address
    # (the row expects ${HTTP_FORBIDDEN}; the earlier comment saying "able" did
    # not match the expectation).
    ${LDAP_TYPE}  Operator         ${GROUP_NAME}  ${HTTP_FORBIDDEN}
511
512
Read Network Configuration Via Different User Roles And Verify
    [Documentation]  Map ${GROUP_NAME} to each role and verify that reading the
    ...  network configuration is allowed for Administrator, ReadOnly and
    ...  Operator and refused for NoAccess.
    [Tags]  Read_Network_Configuration_Via_Different_User_Roles_And_Verify
    [Teardown]  Restore LDAP Privilege

    [Template]  Update LDAP User Role And Read Network Configuration
    # ldap_type   group_privilege  group_name     valid_status_code
    ${LDAP_TYPE}  Administrator  ${GROUP_NAME}  ${HTTP_OK}

    ${LDAP_TYPE}  ReadOnly       ${GROUP_NAME}  ${HTTP_OK}

    # NoAccess: the template keyword (defined outside this file) is expected
    # to turn the refusal into ${HTTP_FORBIDDEN}.
    ${LDAP_TYPE}  NoAccess       ${GROUP_NAME}  ${HTTP_FORBIDDEN}

    ${LDAP_TYPE}  Operator       ${GROUP_NAME}  ${HTTP_OK}
526
527
528*** Keywords ***
529
Redfish Verify LDAP Login
    [Documentation]  Attempt a Redfish login as the LDAP user, check the
    ...  outcome against ${valid_status}, then re-create the default session.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  ${True} if the LDAP login is expected to succeed,
    #               ${False} if it is expected to be rejected.

    # Logging in as another user deviates from the suite rule (Redfish.Login
    # in Suite Setup, Redfish.Logout in Suite Teardown), so the original
    # logged-in state is restored before returning.
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${valid_status}
    ...  msg=LDAP login status ${login_ok} did not match expected ${valid_status}.
    Redfish.Logout
    Redfish.Login
547
548
Update LDAP Config And Verify Set Host Name
    [Documentation]  Map ${group_name} to ${group_privilege}, log in as the
    ...  LDAP user and check that a HostName PATCH returns one of
    ...  ${valid_status_codes}.  For NoAccess the login itself must fail.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]
    [Teardown]  Run Keyword If  '${group_privilege}'=='NoAccess'  Redfish.Login
                ...  ELSE  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # group_name          LDAP group mapped to the role.
    # group_privilege     Role to map ("Administrator", "Operator", "ReadOnly"
    #                     or "NoAccess"); callers also pass invalid values to
    #                     check they are refused.
    # valid_status_codes  Status code(s) accepted from the HostName PATCH
    #                     (see the prolog of rest_request in redfish_plus.py).

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${group_privilege}  ${group_name}

    # A NoAccess mapping is checked at login time; there is no PATCH to try.
    Run Keyword If  '${group_privilege}'=='NoAccess'
    ...  Run Keyword And Return  Verify Redfish Login for LDAP Userrole NoAccess

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The HostName PATCH is only an authorization probe.
    # NOTE(review): ${hostname} resolves to the suite-level value — confirm
    # Suite Setup Execution publishes the live host name, otherwise an empty
    # name is sent.
    ${probe_body}=  Catenate  {'HostName': '${hostname}'}
    Redfish.Patch  ${REDFISH_NW_ETH0_URI}  body=${probe_body}
    ...  valid_status_codes=${valid_status_codes}
575
Verify Redfish Login for LDAP Userrole NoAccess
    [Documentation]  Verify that a Redfish login as the LDAP user is rejected
    ...  while the user's group is mapped to NoAccess.

    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${False}
    ...  msg=LDAP user mapped to NoAccess was able to login.
581
Disable Other LDAP
    [Documentation]  Disable the LDAP type that is not under test
    ...  (ActiveDirectory when testing LDAP, LDAP when testing ActiveDirectory).

    ${other_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    ${body}=  Catenate  {'${other_type}': {'ServiceEnabled': ${False}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart after the change.
    Sleep  15s
590
591
Config LDAP URL
    [Documentation]  Set ServiceAddresses to ${ldap_server_uri}, verify the
    ...  LDAP login outcome matches ${expected_status}, then re-create the
    ...  default session.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server URI (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  ${True} if the LDAP login is expected to succeed with
    #                  this URI, ${False} if it is expected to be rejected.

    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the new server address.
    Sleep  15s
    ${login_ok}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${login_ok}  ${expected_status}
    ...  msg=LDAP login status ${login_ok} did not match expected ${expected_status} for ${ldap_server_uri}.

    # Restore the suite's local administrator session.
    Redfish.Logout
    Redfish.Login
608
609
Restore LDAP URL
    [Documentation]  Put ServiceAddresses back to the working ${LDAP_SERVER_URI}.

    ${body}=  Catenate  {'${LDAP_TYPE}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Let the LDAP daemon restart with the restored address.
    Sleep  15s
617
618
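Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockoutDuration and AccountLockoutThreshold
    ...  from the ${old_account_service} snapshot.  Does nothing when no
    ...  snapshot was captured.  Leaving both at 0 keeps account lockout
    ...  (the brute-force guard) switched off, so the restore must not depend
    ...  on the LDAP session the test created.

    Return From Keyword If  not $old_account_service
    # Use a fresh local-administrator session rather than whatever session
    # the failed or finished test left behind.
    Redfish.Login
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # The original wrote AccountLockoutDuration twice and never put the
    # threshold back.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]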
627
628
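Suite Setup Execution
    [Documentation]  Validate the required LDAP parameters, record the current
    ...  LDAP role mapping and BMC host name for later use, disable the other
    ...  LDAP type and create the configuration under test.

    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    # Capture the role currently mapped so that 'Restore LDAP Privilege' puts
    # back the real value instead of the hard-coded default.  'Get LDAP
    # Privilege' returns an empty list when there is no mapping, which the
    # restore keyword already treats as "nothing to restore".
    ${old_ldap_privilege}=  Get LDAP Privilege
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    # Record the live host name and publish it: the role tests PATCH it as
    # their authorization probe, and a keyword-local assignment would leave
    # them sending the empty suite-level default instead.
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    Set Suite Variable  ${hostname}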
649
650
LDAP Suite Teardown Execution
    [Documentation]  Put the LDAP role mapping back, close the suite's Redfish
    ...  session and best-effort delete any sessions left behind by the tests.
    ...  NOTE(review): the other LDAP type disabled in suite setup is not
    ...  re-enabled here, and the server/bind settings are not restored.

    Restore LDAP Privilege
    Redfish.Logout
    # Tests log in as the LDAP user repeatedly; failing to delete a stale
    # session is not worth failing the suite over.
    Run Keyword And Ignore Error  Delete All Redfish Sessions
657
658
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Map ${GROUP_NAME} to ${read_privilege} and verify the LDAP
    ...  user can read the firmware inventory collection.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  Read-only role to map (the suite passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    ${inventory}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    ${member_count}=  Set Variable  ${inventory.dict["Members@odata.count"]}
    # The collection must be non-empty and its count must match the Members list.
    Should Be True  ${member_count} >= ${1}
    Length Should Be  ${inventory.dict["Members"]}  ${member_count}
    Redfish.Logout
    Redfish.Login
676
677
Set Read Privilege And Check Poweron
    [Documentation]  Map ${GROUP_NAME} to ${read_privilege} and verify that a
    ...  host power-on request by the LDAP user is refused.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  Read-only role to map (the suite passes "ReadOnly").

    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Either 401 or 403 counts as a refusal.
    Redfish.Post  ${REDFISH_POWER_URI}  body={'ResetType': 'On'}
    ...  valid_status_codes=[${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Redfish.Logout
    Redfish.Login
692
693
Get LDAP Configuration
    [Documentation]  Return the ${ldap_type} section of the AccountService
    ...  resource; fails (KeyError) when that section is absent.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  "ActiveDirectory" or "LDAP".

    ${account_service}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    ${ldap_section}=  Set Variable  ${account_service["${ldap_type}"]}
    [Return]  ${ldap_section}
703
704
Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  PATCH the ${ldap_type} RemoteRoleMapping with a single
    ...  entry mapping LDAP group ${group_name} to local role ${group_privilege}.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        "ActiveDirectory" or "LDAP".
    # group_privilege  Local role to map ("Administrator", "Operator",
    #                  "ReadOnly" or "NoAccess"); callers also pass invalid
    #                  values to check they are refused.
    # group_name       LDAP group name.

    ${mapping}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${mappings}=  Create List  ${mapping}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${mappings}
    ${payload}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${payload}
    # Provide adequate time for LDAP daemon to restart after the update.
    Sleep  15s
721
722
Get LDAP Privilege
    [Documentation]  Return the LocalRole of the first RemoteRoleMapping entry
    ...  of the ${LDAP_TYPE} configuration, or an empty list when there is none.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${role_mappings}=  Set Variable  ${ldap_config["RemoteRoleMapping"]}
    ${mapping_count}=  Get Length  ${role_mappings}
    # Only the first mapping is considered; any others are ignored.
    Return From Keyword If  ${mapping_count} == ${0}  @{EMPTY}
    [Return]  ${role_mappings[0]["LocalRole"]}
731
732
Restore LDAP Privilege
    [Documentation]  Map ${GROUP_NAME} back to ${old_ldap_privilege}, the value
    ...  published as a suite variable by Suite Setup Execution.  Nothing is
    ...  done when that value is empty ("" or "[]").

    # Re-establish the local administrator session before touching the config.
    Redfish.Login
    ${nothing_recorded}=  Evaluate  '${old_ldap_privilege}' in ('', '[]')
    Return From Keyword If  ${nothing_recorded}
    Update LDAP Configuration with LDAP User Role And Group  ${LDAP_TYPE}
    ...  ${old_ldap_privilege}  ${GROUP_NAME}

    # Extra settle time on top of the delay inside the update keyword.
    Sleep  18s
743
Verify Host Power Status
    [Documentation]  Bring the host to ${expected_power_status}: read the
    ...  chassis PowerState and, if it differs, issue the power operation
    ...  that moves toward it (Off -> Redfish Power On, anything else ->
    ...  Redfish Power Off).  Despite the name, this keyword changes state.
    [Arguments]  ${expected_power_status}

    # Description of argument(s):
    # expected_power_status  Desired host state, "On" or "Off".

    ${current_state}=  Redfish.Get Attribute  /redfish/v1/Chassis/${CHASSIS_ID}  PowerState
    ${already_there}=  Evaluate  '${current_state}' == '${expected_power_status}'
    Return From Keyword If  ${already_there}

    Run Keyword If  '${current_state}' == 'Off'  Redfish Power On
    ...  ELSE  Redfish Power Off
756
Update LDAP User Role And Host Poweroff
    [Documentation]  Map ${group_name} to ${group_privilege}, log in as the LDAP
    ...  user and request a ForceOff; expect ${valid_status_code} and, unless
    ...  the request was forbidden, wait for the host to report Off.
    ...  NOTE(review): the LDAP login below is unguarded, so NoAccess rows
    ...  require that login to succeed, whereas 'Verify Redfish Login for LDAP
    ...  Userrole NoAccess' expects it to be rejected — confirm which holds.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          "ActiveDirectory" or "LDAP".
    # group_privilege    "Administrator", "Operator", "ReadOnly" or "NoAccess".
    # group_name         LDAP group mapped to the role.
    # valid_status_code  Status code expected from the ForceOff POST.

    # Precondition: the host must be On for a power-off to be meaningful.
    Verify Host Power Status  On

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${reset_body}=  Catenate  {'ResetType': 'ForceOff'}
    Redfish.Post  ${REDFISH_POWER_URI}  body=${reset_body}
    ...  valid_status_codes=[${valid_status_code}]

    # A forbidden request changes nothing, so there is no transition to await.
    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
    Wait Until Keyword Succeeds  1 min  10 sec  Verify Host Power State  Off
781
782
783Update LDAP User Role And Host Poweron
784    [Documentation]  Update LDAP user role and do host poweron.
785    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}
786    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login
787
788    # Description of argument(s):
789    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
790    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
791    # group_name         The group name of user.
792    # valid_status_code  The expected valid status code.
793
794    # check Host state and do the power on/off if needed.
795    Verify Host Power Status  Off
796
797    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
798    ...  ${group_privilege}  ${group_name}
799
800    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
801
802    Redfish.Post  ${REDFISH_POWER_URI}
803    ...  body={'ResetType': 'On'}   valid_status_codes=[${valid_status_code}]
804
805    Return From Keyword If  ${valid_status_code} == ${HTTP_FORBIDDEN}
806    Verify Host Is Up
807
808
Update LDAP User Role And Configure IP Address
    [Documentation]  Map the LDAP group to the given role, then try to add a
    ...  static IP address as the LDAP user and expect ${valid_status_code}.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch from the local session to the LDAP user, so the request below is
    # authorized against the role that was just mapped.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    ${test_gateway}=  Get BMC Default Gateway

    # The NoAccess path uses a helper that builds the PATCH payload under the
    # local account and issues only the PATCH itself as the LDAP user.
    ${add_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Add IP Address With NoAccess User  Add IP Address
    Run Keyword  ${add_keyword}  ${test_ip}  ${test_mask}  ${test_gateway}  ${valid_status_code}
833
834
Update LDAP User Role And Delete IP Address
    [Documentation]  Add a static IP address as the local user, map the LDAP
    ...  group to the given role, then try to delete that address as the LDAP
    ...  user and expect ${valid_status_code}.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login  AND  Delete IP Address  ${test_ip}

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    # The address to be deleted is created first, while still logged in as
    # the local user.
    ${test_gateway}=  Get BMC Default Gateway
    Add IP Address  ${test_ip}  ${test_mask}  ${test_gateway}

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Switch to the LDAP user, so the delete is authorized against the role
    # that was just mapped.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    # The NoAccess path uses a helper that builds the PATCH payload under the
    # local account and issues only the PATCH itself as the LDAP user.
    ${delete_keyword}=  Set Variable If  '${group_privilege}' == 'NoAccess'
    ...  Delete IP Address With NoAccess User  Delete IP Address
    Run Keyword  ${delete_keyword}  ${test_ip}  ${valid_status_code}
862
863
Update LDAP User Role And Read Network Configuration
    [Documentation]  Map the LDAP group to the given role, then read the eth0
    ...  network configuration as the LDAP user and expect ${valid_status_code}.
    [Arguments]  ${ldap_type}  ${group_privilege}  ${group_name}  ${valid_status_code}=${HTTP_OK}
    [Teardown]  Run Keywords  Redfish.Logout  AND  Redfish.Login

    # Description of argument(s):
    # ldap_type          The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege    The group privilege ("Administrator", "Operator", "ReadOnly" or "NoAccess").
    # group_name         The group name of user.
    # valid_status_code  The expected valid status code.

    Update LDAP Configuration with LDAP User Role And Group  ${ldap_type}
    ...  ${group_privilege}  ${group_name}

    # Re-authenticate as the LDAP user and issue the GET under that session;
    # the response code is the only thing checked.
    Run Keywords  Redfish.Logout
    ...  AND  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    ...  AND  Redfish.Get  ${REDFISH_NW_ETH0_URI}  valid_status_codes=[${valid_status_code}]
882
883
Add IP Address With NoAccess User
    [Documentation]  Attempt to add a static IP address while logged in as the
    ...  LDAP user. The current interface configuration is collected under the
    ...  local account; only the PATCH itself is issued as the LDAP user.
    [Arguments]  ${ip}  ${subnet_mask}  ${gateway}
    ...  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be added (e.g. "10.7.7.7").
    # subnet_mask         Subnet mask for the IP to be added
    #                     (e.g. "255.255.0.0").
    # gateway             Gateway for the IP to be added (e.g. "10.7.7.1").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Drop the LDAP session and read the interface as the local user.
    Redfish.Logout
    Redfish.Login

    @{existing_addresses}=  Get Network Configuration
    ${existing_count}=  Get Length  ${existing_addresses}

    # One empty object per existing entry leaves those entries untouched;
    # the new address is appended after them. Existence of the IP on the
    # BMC is not checked when adding.
    ${keep_entry}=  Create Dictionary
    ${static_addresses}=  Create List
    FOR  ${index}  IN RANGE  ${existing_count}
      Append To List  ${static_addresses}  ${keep_entry}
    END
    ${new_address}=  Create Dictionary  Address=${ip}
    ...  SubnetMask=${subnet_mask}  Gateway=${gateway}
    Append To List  ${static_addresses}  ${new_address}
    ${data}=  Create Dictionary  IPv4StaticAddresses=${static_addresses}

    # With the default expectation, both 200 and 204 are accepted for the PATCH.
    ${valid_status_codes}=  Set Variable If  '${valid_status_codes}' == '${HTTP_OK}'
    ...  ${HTTP_OK},${HTTP_NO_CONTENT}  ${valid_status_codes}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Back to the LDAP user: this PATCH is the actual authorization check.
    Redfish.Logout
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.Patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]
935
936
Delete IP Address With NoAccess User
    [Documentation]  Delete IP Address Of BMC. The current static addresses are
    ...  read under the local account to build the PATCH payload; only the
    ...  PATCH itself is issued as the LDAP user, so its status code reflects
    ...  what that user's role is allowed to do.
    [Arguments]  ${ip}  ${valid_status_codes}=${HTTP_OK}

    # Description of argument(s):
    # ip                  IP address to be deleted (e.g. "10.7.7.7").
    # valid_status_codes  Expected return code from patch operation
    #                     (e.g. "200").  See prolog of rest_request
    #                     method in redfish_plus.py for details.

    # Logout from LDAP user.
    Redfish.Logout

    # Login with local user.
    Redfish.Login

    ${empty_dict}=  Create Dictionary
    ${patch_list}=  Create List

    # Build one list entry per existing static address: ${null} marks the
    # entry to delete, an empty object leaves the entry unchanged.
    @{network_configurations}=  Get Network Configuration
    FOR  ${network_configuration}  IN  @{network_configurations}
      Run Keyword If  '${network_configuration['Address']}' == '${ip}'
      ...  Append To List  ${patch_list}  ${null}
      ...  ELSE  Append To List  ${patch_list}  ${empty_dict}
    END

    # If no entry matched, there is nothing to delete: the keyword passes
    # without issuing a PATCH.
    ${ip_found}=  Run Keyword And Return Status  List Should Contain Value
    ...  ${patch_list}  ${null}  msg=${ip} does not exist on BMC
    Pass Execution If  ${ip_found} == ${False}  ${ip} does not exist on BMC

    # Run patch command only if given IP is found on BMC
    ${data}=  Create Dictionary  IPv4StaticAddresses=${patch_list}

    ${active_channel_config}=  Get Active Channel Config
    ${ethernet_interface}=  Set Variable  ${active_channel_config['${CHANNEL_NUMBER}']['name']}

    # Logout from local user.
    Redfish.Logout

    # Login from LDAP user and check if we can delete IP address.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}

    Redfish.patch  ${REDFISH_NW_ETH_IFACE}${ethernet_interface}  body=&{data}
    ...  valid_status_codes=[${valid_status_codes}]

    # Note: Network restart takes around 15-18s after patch request processing
    # (waited here regardless of whether the PATCH was accepted or rejected).
    Sleep  ${NETWORK_TIMEOUT}s
    Wait For Host To Ping  ${OPENBMC_HOST}  ${NETWORK_TIMEOUT}
985